[asterisk-commits] russell: branch group/security_events r199734 - /team/group/security_events/m...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Tue Jun 9 07:31:15 CDT 2009


Author: russell
Date: Tue Jun  9 07:31:11 2009
New Revision: 199734

URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=199734
Log:
Report invalid request formatting events for AMI, add one more request not allowed event

Modified:
    team/group/security_events/main/manager.c

Modified: team/group/security_events/main/manager.c
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/main/manager.c?view=diff&rev=199734&r1=199733&r2=199734
==============================================================================
--- team/group/security_events/main/manager.c (original)
+++ team/group/security_events/main/manager.c Tue Jun  9 07:31:11 2009
@@ -1891,6 +1891,36 @@
 	ast_security_event_report(AST_SEC_EVT(&req_not_allowed));
 }
 
+static void report_req_bad_format(const struct mansession *s, const char *action)
+{
+	struct sockaddr_in sin_local = { 0, };
+	struct ast_str *session_id = ast_str_alloca(32);
+	struct ast_str *request_type = ast_str_alloca(64);
+	struct ast_security_event_req_bad_format req_bad_format = {
+		.common.event_type = AST_SECURITY_EVENT_REQ_BAD_FORMAT,
+		.common.version    = AST_SECURITY_EVENT_REQ_BAD_FORMAT_VERSION,
+		.common.service    = "AMI",
+
+		.account_id = s->session->username,
+		.session_tv = &s->session->sessionstart_tv,
+		.local_addr = {
+			.sin       = mansession_encode_sin_local(s, &sin_local),
+			.transport = mansession_get_transport(s),
+		},
+		.remote_addr = {
+			.sin       = &s->session->sin,
+			.transport = mansession_get_transport(s),
+		},
+	};
+
+	ast_str_set(&session_id, 0, "%p", s->session);
+	req_bad_format.session_id = ast_str_buffer(session_id);
+
+	ast_str_set(&request_type, 0, "Action: %s", action);
+	req_bad_format.request_type = ast_str_buffer(request_type);
+
+	ast_security_event_report(AST_SEC_EVT(&req_bad_format));
+}
 /*
  * Here we start with action_ handlers for AMI actions,
  * and the internal functions used by them.
@@ -3716,6 +3746,7 @@
 	ast_copy_string(action, __astman_get_header(m, "Action", GET_HEADER_SKIP_EMPTY), sizeof(action));
 
 	if (ast_strlen_zero(action)) {
+		report_req_bad_format(s, "NONE");
 		mansession_lock(s);
 		astman_send_error(s, m, "Missing action in request");
 		mansession_unlock(s);
@@ -3723,6 +3754,9 @@
 	}
 
 	if (!s->session->authenticated && strcasecmp(action, "Login") && strcasecmp(action, "Logoff") && strcasecmp(action, "Challenge")) {
+		if (!s->session->authenticated) {
+			report_req_not_allowed(s, action);
+		}
 		mansession_lock(s);
 		astman_send_error(s, m, "Permission denied");
 		mansession_unlock(s);
@@ -3732,6 +3766,7 @@
 	if (!allowmultiplelogin && !s->session->authenticated && user &&
 		(!strcasecmp(action, "Login") || !strcasecmp(action, "Challenge"))) {
 		if (check_manager_session_inuse(user)) {
+			/* XXX Session limit */
 			sleep(1);
 			mansession_lock(s);
 			astman_send_error(s, m, "Login Already In Use");
@@ -3762,10 +3797,10 @@
 		ret = call_func(s, m);
 	} else {
 		char buf[512];
+		report_req_bad_format(s, action);
 		snprintf(buf, sizeof(buf), "Invalid/unknown command: %s. Use Action: ListCommands to show available commands.", action);
 		mansession_lock(s);
 		astman_send_error(s, m, buf);
-		/* XXX Request bad format */
 		mansession_unlock(s);
 	}
 	if (ret) {




More information about the asterisk-commits mailing list